© Copyright 2016 GeoEdge Ltd.  |  All rights reserved  |  Privacy Policy  |  Terms of Service


GeoEdge Detects Malvertising Campaign on Yahoo & Other Premium Publisher Sites

June 22, 2016

GeoEdge Security Lab has detected a malvertising campaign on Yahoo and a couple of other premium publisher sites. The malicious campaign was observed in the UK, Australia and New York on June 19, 2016.


The Behavior

The ad appears on the webpage and urges the user to test the speed of their site.

The ad appears in any browser (Chrome, Explorer or IE). If the user clicks on the ad, they are taken to a landing page where they can download and install an extension. Once installed, the extension sets the homepage of the user's browser to the advertiser's website: http://www.checkspeedsearch.com/fast?first-run.


Risk Assessment
GeoEdge Security Lab has identified the malware as a Trojan. Windows Defender classifies it as Trojan:Win32/Spursint.A!cl, with the alert level "severe".


Malware at the "severe" alert level could typically:
•    Download and install other malware.
•    Use the user's computer for click fraud.
•    Record keystrokes and visited sites.
•    Send information, including usernames and browsing history, to a remote malicious hacker.
•    Give a remote malicious hacker access to the PC.


However, GeoEdge Security Lab has confirmed that this is a generic PUP (potentially unwanted program) Trojan file with a medium level of malicious activity. The PUP only changes the homepage, but it does have the ability to capture the user's keystrokes.

The impact on the user experience is intrusive and disturbing.


The Source
The delivery path in the Yahoo instance was: Yahoo [publisher - http://uk.lifestyle.yahoo.com/] -> AppNexus -> Yahoo Advertising -> AdSense [served the ad]

 

Below is the exact sequence of requests observed before the click:


1  http://uk.lifestyle.yahoo.com/
Source: Top

→ Redirects To:
 

2  https://uk.style.yahoo.com/
Referrer: http://uk.lifestyle.yahoo.com/
Source: redirect.301

→ Created SCRIPT Element


3  https://s.yimg.com/rq/darla/2-9-13/js/g-r-min.js
Referrer: https://uk.style.yahoo.com/
Source: new.script.src

→ Created IFRAME Element
 

4  https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Referrer: https://uk.style.yahoo.com/
Source: new.iframe.src

→ Created SCRIPT Element
 

5  https://s.yimg.com/rq/darla/2-9-13/js/sfext-min.js
Referrer: https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Source: new.script.src

→ Created SCRIPT Element
 

6  https://secure.adnxs.com/ttj?id=5785082&cb=1466334141.742321&pt0=130575032&pt1=300x250&pt2=https://uk.style.yahoo.com/&pt3=wI6q2QrIEhw-&pt4=PbU7ZDIxNy607Ez8V2Z7vQL0ODAuOAAAAACFnLmU&pt5=1466334141271626&pt6=${RS}|PbU7ZDIxNy607Ez8V2Z7vQL0ODAuOAAAAACFnLmU|1197784497|LREC|1466334141.742321|2-9-14:ysd:1&psa=false&pubclick=https://beap-bc.yahoo.com/yc/YnY9MS4wLjAmYnM9KDE3aG4ycmI3bihnaWQkUGJVN1pESXhOeTYwN0V6OFYyWjd2UUwwT0RBdU9BQUFBQUNGbkxtVSxzdCQxNDY2MzM0MTQxMjcxNjI2LHNpJDE0NzIxMDMyLHNwJDExOTc3ODQ0OTcsY3QkMjUseWJ4JEtrbWVmQzdQMnMubWxPSlVHYXRYSWcsbG5nJGVuLXVzLGNyJDYxMTcyNTAwMzIsdiQyLjAsYWlkJHdJNnEyUXJJRWh3LSxiaSQzNDgzMDA1MzIsbW1lJDMzMjU1NDYwNzA0OTg0MjA3NzIsciQwLHlvbyQxLGFncCQ0MzkxMTY1MzIsYXAkTFJFQykp/0/*
Referrer: https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Source: new.script.src

→ Created SCRIPT Element
 

7  https://secure.adnxs.com/ttj?ttjb=1&bdc=1466334164&bdh=J45oG4vtYFtsAEchOrdc-2MxG1Y.&view_iv=0&view_pos=-4,-40&view_ws=1592,1081&view_vs=0&bdref=https%3A%2F%2Fuk.style.yahoo.com&bdtop=true&bdifs=1&bstk=https%3A%2F%2Fuk.style.yahoo.com,https%3A%2F%2Fs.yimg.com%2Frq%2Fdarla%2F2-9-13%2Fhtml%2Fr-sf.html&&id=5785082&cb=1466334141.742321&pt0=130575032&pt1=300x250&pt2=https://uk.style.yahoo.com/&pt3=wI6q2QrIEhw-&pt4=PbU7ZDIxNy607Ez8V2Z7vQL0ODAuOAAAAACFnLmU&pt5=1466334141271626&pt6=${RS}|PbU7ZDIxNy607Ez8V2Z7vQL0ODAuOAAAAACFnLmU|1197784497|LREC|1466334141.742321|2-9-14:ysd:1&psa=false&pubclick=https://beap-bc.yahoo.com/yc/YnY9MS4wLjAmYnM9KDE3aG4ycmI3bihnaWQkUGJVN1pESXhOeTYwN0V6OFYyWjd2UUwwT0RBdU9BQUFBQUNGbkxtVSxzdCQxNDY2MzM0MTQxMjcxNjI2LHNpJDE0NzIxMDMyLHNwJDExOTc3ODQ0OTcsY3QkMjUseWJ4JEtrbWVmQzdQMnMubWxPSlVHYXRYSWcsbG5nJGVuLXVzLGNyJDYxMTcyNTAwMzIsdiQyLjAsYWlkJHdJNnEyUXJJRWh3LSxiaSQzNDgzMDA1MzIsbW1lJDMzMjU1NDYwNzA0OTg0MjA3NzIsciQwLHlvbyQxLGFncCQ0MzkxMTY1MzIsYXAkTFJFQykp/0/*
Referrer: https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Source: new.script.src

→ Created SCRIPT Element
 

8  https://na.ads.yahoo.com/yax/banner?ve=1&tt=1&si=130575032&asz=300x250&u=https://uk.style.yahoo.com/&gdAdId=wI6q2QrIEhw-&gdUuid=PbU7ZDIxNy607Ez8V2Z7vQL0ODAuOAAAAACFnLmU&gdSt=1466334141271626&publisher_blob=${RS}|PbU7ZDIxNy607Ez8V2Z7vQL0ODAuOAAAAACFnLmU|1197784497|LREC|1466334141.742321|2-9-14:ysd:1&K=1
Referrer: https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Source: new.script.src

→ Created SCRIPT Element
 

9  https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Referrer: https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Source: new.script.src

→ Created SCRIPT Element
 

10 https://pagead2.googlesyndication.com/pagead/js/r20160617/r20151006/show_ads_impl.js
Referrer: https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Source: new.script.src

→ Created IFRAME Element
 

11 https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7382640443023261&format=300x250&output=html&h=250&slotname=3988664373%2F1314754053&adk=4045590530&w=300&loeid=108809121&avail_w=0&ea=0&flash=13.0.0&url=https%3A%2F%2Fuk.style.yahoo.com&wgl=1&dt=1466334175173&bpp=52&bdt=16610&fdt=94&idt=3040&shv=r20160617&cbv=r20151006&saldr=aa&correlator=2329085057254&frm=24&ga_vid=1665213106.1466334178&ga_sid=1466334178&ga_hid=1730412591&ga_fc=0&pv=2&icsg=2&nhd=2&dssz=2&mdo=33554432&mso=0&u_tz=0&u_his=1&u_java=1&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_nplug=5&u_nmime=42&dfs=0&adx=0&ady=0&biw=-12245933&bih=-12245933&isw=0&ish=0&ifk=2719506870&eid=20040014&oid=3&rx=0&eae=2&pc=0&brdim=%2C%2C0%2C0%2C1600%2C0%2C1280%2C800%2C0%2C0&vis=1&rsz=%7C%7Cc%7C&abl=NS&ppjl=f&pfx=0&fu=16&bc=1&ifi=1&dtd=3169
Referrer: https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Source: new.iframe.src

→ Created IMG Element


12  https://tpc.googlesyndication.com/simgad/5699225488287829403
Referrer: https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-7382640443023261&format=300x250&output=html&h=250&slotname=3988664373%2F1314754053&adk=4045590530&w=300&loeid=108809121&avail_w=0&ea=0&flash=13.0.0&url=https%3A%2F%2Fuk.style.yahoo.com&wgl=1&dt=1466334175173&bpp=52&bdt=16610&fdt=94&idt=3040&shv=r20160617&cbv=r20151006&saldr=aa&correlator=2329085057254&frm=24&ga_vid=1665213106.1466334178&ga_sid=1466334178&ga_hid=1730412591&ga_fc=0&pv=2&icsg=2&nhd=2&dssz=2&mdo=33554432&mso=0&u_tz=0&u_his=1&u_java=1&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_nplug=5&u_nmime=42&dfs=0&adx=0&ady=0&biw=-12245933&bih=-12245933&isw=0&ish=0&ifk=2719506870&eid=20040014&oid=3&rx=0&eae=2&pc=0&brdim=%2C%2C0%2C0%2C1600%2C0%2C1280%2C800%2C0%2C0&vis=1&rsz=%7C%7Cc%7C&abl=NS&ppjl=f&pfx=0&fu=16&bc=1&ifi=1&dtd=3169
Source: new.img.src

-------------------

 

The Delivery Path to Landing Page

Source: Banner click URL
https://googleads.g.doubleclick.net/aclk?sa=l&ai=CcMdZ43tmV4jZCInhzAaf7pTACLfZzdtEo4jyqrwBwI23ARABIMqc9yNgu46wg9AKoAGl1JDRA8gBAqgDAcgDwQSqBIABT9DHs_IXma1Ji3KX9P0EhMx1QyNBYPPpHTRxWV6cEFSmS2OleWh6xCkV61khSCT660czqGiMRov0y4VHc_Dag8D_eR1YLW4T6tla1S7qbowuvERKhFQbFdWl-ga2Pi-4pvhT9T4Jy1F4dpY-GgiAI007dyp4wmuK5gQvZWYlWomgBgKAB8Or7y6oB6a-G9gHAQ&num=1&sig=AOD64_1XiOl-TwR9fuindJ1TLUsz7GHDXQ&client=ca-pub-7382640443023261&adurl=http://www.checkspeedtab.com

 

Redirects To
https://www.googleadservices.com/pagead/aclk?sa=L&ai=CcMdZ43tmV4jZCInhzAaf7pTACLfZzdtEo4jyqrwBwI23ARABIMqc9yNgu46wg9AKoAGl1JDRA8gBAqgDAcgDwQSqBIABT9DHs_IXma1Ji3KX9P0EhMx1QyNBYPPpHTRxWV6cEFSmS2OleWh6xCkV61khSCT660czqGiMRov0y4VHc_Dag8D_eR1YLW4T6tla1S7qbowuvERKhFQbFdWl-ga2Pi-4pvhT9T4Jy1F4dpY-GgiAI007dyp4wmuK5gQvZWYlWomgBgKAB8Or7y6oB6a-G9gHAQ&num=1&client=ca-pub-7382640443023261&val=ChAyMjgwY2VlZWZiMDUwMDViEOX3mbsFGghaRQovnUkVzSABKAE&sig=AOD64_0vvd8ZbXY9q6Mnkb3XmXPK3yIqcw&adurl=http://www.checkspeedtab.com

 

Redirects To
http://www.checkspeedtab.com/?gclid=CPOV2Nz4s80CFVIaGwodtyENog
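As an added example (not GeoEdge's own tooling), the Python below parses a trace in the hop format used in "The Source" above, lists the hosts in the delivery chain in order, flags any host outside a publisher/ad-platform allowlist, and pulls the landing domain out of a Google click URL's adurl= parameter, which is how the click in "The Delivery Path to Landing Page" resolves to checkspeedtab.com. The sample trace and click URL are constructed, abbreviated copies of the page's own.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample: an abbreviated copy of the first three hops in the trace above.
SAMPLE_TRACE = """\
1  http://uk.lifestyle.yahoo.com/
Source: Top

2  https://uk.style.yahoo.com/
Referrer: http://uk.lifestyle.yahoo.com/
Source: redirect.301

3  https://secure.adnxs.com/ttj?id=5785082&pt2=https://uk.style.yahoo.com/
Referrer: https://s.yimg.com/rq/darla/2-9-13/html/r-sf.html
Source: new.script.src
"""
# Constructed click URL carrying the same adurl= target as the page's banner click.
SAMPLE_CLICK = ("https://googleads.g.doubleclick.net/aclk?sa=l&num=1"
                "&client=ca-pub-7382640443023261&adurl=http://www.checkspeedtab.com")

# A hop line is a number, whitespace, then the URL (URLs never contain spaces).
HOP_RE = re.compile(r"^\s*(\d+)\s+(https?://\S+)\s*$")

def parse_trace(text):
    """Return one dict per hop with its number, url, referrer and source."""
    hops, cur = [], None
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            cur = {"n": int(m.group(1)), "url": m.group(2), "referrer": None, "source": None}
            hops.append(cur)
        elif cur and line.startswith("Referrer:"):
            cur["referrer"] = line.split(":", 1)[1].strip()
        elif cur and line.startswith("Source:"):
            cur["source"] = line.split(":", 1)[1].strip()
    return hops

def hosts_in_chain(hops):
    """Hosts contacted, in first-seen order, so the chain reads at a glance."""
    return list(dict.fromkeys(urlparse(h["url"]).hostname for h in hops))

def untrusted_hosts(hops, trusted_suffixes):
    """Hosts in the chain that are neither the publisher nor a known ad platform."""
    trusted = lambda h: any(h == s or h.endswith("." + s) for s in trusted_suffixes)
    return [h for h in hosts_in_chain(hops) if not trusted(h)]

def click_destination(click_url):
    """Landing host of a Google ad click URL, read from its adurl= parameter."""
    dest = parse_qs(urlparse(click_url).query).get("adurl", [None])[0]
    return urlparse(dest).hostname if dest else None
```

Feeding the full trace from the page in place of the constructed sample yields the publisher -> adnxs -> yahoo ads -> googlesyndication -> doubleclick chain described above, with every host that is not on the allowlist surfaced for review.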

------------------------

 

Other URLs related to this attack

http://www.checkspeedsearch.com/fast

http://www.checkspeedsearch.com/fast?first-run

http://checkspeedsearch.com/fast


GeoEdge Security Lab will continue to send updates on further developments. 


 
